The European Parliament has voted in a new directive designed to increase the maximum sentences hackers can receive.
The legislation focuses on attacks designed to harm areas of critical national infrastructure or hijack company computer systems. Under the draft reform attacks on areas of critical infrastructure can now carry a maximum sentence of five years, while attempts to illegally access information systems can accrue a two year sentence in all European Union member states.
The directive also address Europe's growing Botnet problem. "When a significant number of information systems have been affected through the use of a tool (eg botnets) there is a maximum penalty of at least three years," reads the Commission's report on the legislation.
Botnets have been a massive issue across the world for many years now. The operations enslave computers using various malwares, letting hackers steal control of them and use them for a variety of nefarious schemes, including denial of service attacks and phishing scams.
Numerous technology firms, including Microsoft, have mounted joint operations with law enforcement to take down the zombie networks command and control servers. Most recently Microsoft teamed up with the FBI to take down the Citadel botnet. At its peak the botnet is believed to have controlled millions of infected PCs and stolen more than $500m in bank fraud.
Interestingly the move will allow nation states to take action against businesses selling botnet and hacking tools as well as those using them. It will also grant law enforcement the power to punish firm's paying or hackers to use the tools to steal information for them.
The Parliament in Strasbourg approved the legislation with a final vote count of 541 to 91 with nine abstentions on the proposal by the European Commission. Only Denmark has chosen to opt out of the rules preferring to keep its current cyber legislation. Other participating governments will now have two years to translate the decision into national law.
The news has been welcomed by European Commission, with Commissioner for Home Affairs, Cecilia Malmström said the move is a key step in the European Commission and Parliament's ongoing efforts to bolster the region's cyber defences.
"This is an important step to boost Europe's defences against cyber-attacks [...] The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions. Member States will also have to quickly respond to urgent requests for help in the case of cyber-attacks, hence improving European justice and police cooperation," she said.
However, in the private sector many security companies have been less positive. Alienvault research team engineer, Conrad Constantine said the legislation will cause more harm than good as the people creating it do not understand cyber threats.
"Cybercrime is an oxymoron - we already have a word for it - 'Crime' - the reason 'cyber crimes' are criminal acts, is because they were criminal acts before computers were involved. Every time law tries to encode some particular use of technology into law, the result is inevitably fair poorly for civilians," he said.
"This is not to say that there are not edge cases that require some extension - determining how to prosecute a botnet operator may be difficult under current law, but not impossible, since whatever (existing) crimes the botnet is being used for, the botnet operator is complicit in. Having said that, more laws do not capture more criminals, they only turn more people into criminals."